There are two types of XSS: stored XSS and normal XSS.
Normal XSS is bad enough, stored XSS is awful.
Take a look at this: http://www.fujifilm.co.uk/search/search ... rch=Search
That is normal XSS.
I can't get an example of any stored XSS because I've only seen one example of it, and I reported it and it's now fixed. However, stored XSS is where the code you place on their website is stored - i.e. in a comments box, or a post on a forum. The implications of this are simple: you do not have to be tricked into visiting that webpage.
Now what's up with XSS?
Well say I emailed you - pretending to be PayPal - and said "blah blah blah visit our website - payypal.com and sign in etc", you would be able to tell that is a fake email, due to "payypal.com".
Now if I sent you the same email but with a link to paypal.com/[XSS String], you would find it much harder to tell the difference and as soon as you click the link, your login cookie is stolen or you're given a fake login page etc.
I know this isn't a particularly good explanation but I will be writing an article on it soonish, with pictures etc.
Hope this helped.
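As an added illustration (not from the original post), here is a minimal renderer showing the two patterns the post describes: a search page that echoes the URL term back ("normal", i.e. reflected XSS) and a comment list that replays saved text to every later visitor (stored XSS), together with the fix for both, which is to HTML-escape untrusted text before it goes into the page. The page template, the in-memory comment store and the sample input are all constructed for the example.

```javascript
// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value. This is the core mitigation for both cases.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reflected ("normal") XSS: the search term comes straight from the URL and
// is written into the page unchanged, so whatever the link carried runs in
// the victim's browser on the real site's origin.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened version of the same page: the term is escaped on output.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Stored XSS: a comment is saved server-side and rendered for everyone who
// views the thread later, so no crafted link is needed.
const comments = []; // constructed in-memory store standing in for a database

function storeComment(text) {
  // Store the raw text; escape once, at output time, for the HTML context.
  comments.push(text);
}

function renderCommentsSafe() {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join("");
}

// Simple check a reviewer or test can run over rendered HTML: did any
// untrusted input survive as a live script tag?
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

// Constructed sample of the kind of string a crafted link or comment carries.
const sampleInput = "<script>alert(1)</script>";
```

Run against `sampleInput`, the vulnerable renderer emits the tag verbatim while both hardened renderers emit `&lt;script&gt;...`, which the browser displays as text rather than executing.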